By Gerald L. Maatman, Jr. and Jennifer Riley
Duane Morris Takeaway: Privacy litigation – in a multitude of forms and theories – revealed itself as the hottest area of growth in terms of activity by the plaintiffs’ class action bar in 2022. The new year started off with a huge privacy ruling from the Illinois Supreme Court in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023), in which it held that a five-year statute of limitations applies to BIPA claims.
The Illinois Biometric Privacy Act Continued To Drive Lawsuits
In 2022, the plaintiffs’ class action bar continued to focus on businesses and vendors utilizing biometric technology and filed numerous class action lawsuits based on the Illinois Biometric Information Privacy Act, 740 ILCS 14/15 (BIPA).
Enacted in 2008, the BIPA regulates the collection, use, and handling of biometric identifiers and information by private entities. Subject to limited exceptions, the BIPA generally prohibits the collection or use of an individual’s biometric identifiers and biometric information without notice, written consent, and a publicly-available retention and destruction schedule.
Although Texas and Washington have implemented similar biometric protections, the BIPA provides for a private cause of action with aggressive statutory penalties allowing for $1,000 per violation and $5,000 per intentional or reckless violation. Because of this damages provision, the plaintiffs’ bar files almost all BIPA lawsuits as class actions. Plaintiffs have focused more than one-third of BIPA cases on fingerprinting and have focused roughly a quarter on facial recognition surveillance.
The most noteworthy BIPA case of the year was Rogers, et al. v. BNSF Railway Co., Case No. 19-CV-3083 (N.D. Ill.), the first federal jury trial in a case brought under the BIPA. After a week-long trial in the U.S. District Court for the Northern District of Illinois, a jury found that BNSF recklessly or intentionally violated the law 45,600 times and entered a verdict in favor of the class of 45,000 workers. The court thereafter awarded damages against BNSF of $228 million. BNSF subsequently filed a motion for a new trial arguing that none of the 45,000 class members suffered any actual harm and raising constitutional concerns about the BIPA. That motion remains pending for decision, and is almost sure to result in an appeal in 2023.
As BIPA class actions proliferate and businesses struggle to defeat such claims, the Illinois Supreme Court in early 2023 clarified the scope of the statute of limitations applicable to the BIPA in Tims, et al. v. Black Horse Carriers, Case No. 127801 (Ill. Feb. 2, 2023). The Illinois Supreme Court held that a five-year statute of limitations applies to claims under the BIPA. This ruling adds to the risks for employers and companies who do business in Illinois in terms of BIPA class action exposures. Given that the BIPA statute does not have an explicit statute of limitations, the Illinois Supreme Court’s ruling now provides clarity for litigants and attorneys in this space as to the scope of the putative classes in their lawsuits.
If employers have not already done so, now is time to make sure their timekeeping procedures and consent policies are legally compliant. The Tims ruling is apt to increase the plaintiff class action bar’s appetite for BIPA claims, so it is more important than ever for employers to make sure their procedures are legally sound
The Illinois Supreme Court is also due to issue its decision in Cothron v. White Castle System, Inc., No. 1280004 (Ill.), which will decide whether each fingerprint scan is its own discrete violation. An adverse finding in Cothron could enhance BIPA class action exposures. In Cothron, et al. v. White Castle Systems, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021), the Seventh Circuit asked the Illinois Supreme Court to provide much-needed clarification on the accrual of BIPA violations, specifically whether certain BIPA claims accrue only once upon the initial collection or disclosure of biometric information or whether a claim accrues each time a company collects or discloses biometric information.
The Illinois Supreme Court likely will rule on these key BIPA matters in the early part of 2023 and the statute will continue to drive class action litigation. Its technical requirements, combined with stiff statutory penalties and fee-shifting, provide a recipe for attention from the plaintiff’s class action bar, and companies’ continued development and use of innovative technologies are apt to provide a veritable barrel of opportunity.
Class Action Suits Alleging Wiretapping Violations
A new wave of class action lawsuits filed in California, Florida, Massachusetts, and Pennsylvania targeted companies that use technologies to track user activity on their websites, based on the theory that such practices violate electronic interception provisions of various state laws when done without consent.
The plaintiffs’ bar grounded these claims in the electronic interception provisions of various state laws. Wiretap statutes like the California Invasion of Privacy Act, the Pennsylvania Wiretapping and Electronic Surveillance Act, and the Florida Security of Communications Act generally prohibit the unauthorized interception or disclosure of communications transmitted electronically.
The plaintiffs’ bar targeted technologies that track a user’s interactions with the website (e.g., clicking, scrolling, swiping, hovering and typing) and create a recording of those interactions and inputs – known as session replay software. They also attacked coding tools that create and store transcripts of conversations with users in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.
Recent decisions from the Ninth and Third Circuits fueled the swell of lawsuits alleging violations of these wiretap statutes. In May 2022, in Javier, et al. v. Assurance IQ, LLC, 2022 U.S. App. LEXIS 14951 (9th Cir. May 31, 2022), the Ninth Circuit held that the California Invasion of Privacy Act requires prior consent and explicitly rejected the argument that this wiretap statute allows a business to obtain consent to the use of session replay software after the recording already has begun. The Ninth Circuit, however, did not comment on what would amount to effective consent to the use of session reply software under the wiretap statute.
A few months later, the Third Circuit in Popa, et al. v. Harriet Carter Gifts, 2022 U.S. App. LEXIS 22707 (3d Cir. Aug. 16, 2022), ruled that an electronic interception violating the Pennsylvania Wiretapping and Electronic Surveillance Act occurred when the plaintiff visited a website to purchase a product and her interactions on that site were recorded and transmitted to a third-party marketing firm.
The Third Circuit concluded that the location of the interception was plaintiff’s browser, and it rejected the defendants’ argument that the wiretap statute did not apply because the third-party marketing firm’s servers – where the information was sent – were located in Virginia. If other circuits follow the Third Circuit’s approach, it could subject companies to liability under a state wiretap statute each time a user accesses its website from that state.
In each of the three lawsuits brought thus far in Pennsylvania, the class consisted of allegedly more than 5,000 individuals. This new wave of lawsuits alleging wiretap violations threatens to subject businesses to a substantial amount in penalties, including fines ranging from $1,000 to $50,000 per violation, depending on the state. If a violation occurs every time a user accesses a website in one of these states, the amount of penalties to which a company may be subject can balloon quickly.
More State Legislation Created And Expanded Data Privacy Rights
While Congress has refrained from addressing data privacy through federal legislation, many states have enacted their own laws, and 2022 saw significant state legislative activity regarding data privacy with five states preparing for new privacy laws to take effect in 2023, including California, Colorado, Connecticut, Utah, and Virginia.
On the heels of California’s enactment of the California Consumer Privacy Act (CCPA) in 2020, California businesses will need to comply with all requirements of the California Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current CCPA private right of action by authorizing consumers to bring lawsuits arising from data breaches involving additional categories of personal information and is arguably the strictest data privacy law in the United States, which places California privacy law closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands or even millions of users, these types of claims will almost certainly lead to a sharp rise in class action litigation.
Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws that will roll out in 2023. These laws are all similar in structure, but unlike California’s statute, which allows an individual to sue a company for alleged violations, enforcement will be left to the respective state attorneys general. Each of these laws provides for expanded consumer rights related to their data, including: (i) Right of access (i.e., allows for a consumer to access from a business/data controller the information or categories of information collected about a consumer); (ii) Right of deletion (i.e., right for a consumer to request deletion of personal information about the consumer under certain conditions; (iii) Right to opt-out (i.e., allows for a consumer to opt out of the sale of personal information about the consumer to third parties); (iv) Right of portability (allows for a consumer to request personal information about the consumer be disclosed in a common file format); and (v) Notice and transparency requirements (i.e., an obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs).
The approach each state attorney general takes regarding enforcement of these new laws will provide lessons for other states looking to regulate consumer privacy in the absence of a federal standard and almost certainly will be closely monitored by the plaintiffs’ bar, as it attempts to draw from favorable rulings and to anticipate which state will enact the next plaintiff-friendly data privacy laws. 28 U.S.C. §1292(b), Rule 23(f) does not require the district court to certify an issue for appeal. Moreover, Rule 23(f) does not include the potentially limiting requirements of Section 1292(b), under which the district court can certify an issue for appeal only where an order “involve[s] a controlling question of law as to which there is substantial ground for difference of opinion” and where “an immediate appeal from the order may materially advance the ultimate termination of the litigation.”
Finally, class action litigants can appeal final orders issued by the district court under 28 U.S.C. § 1291, which states that “courts of appeals (other than the United States Court of Appeals for the Federal Circuit) shall have jurisdiction of appeals from all final decisions of the district courts of the United States.”